Hi,
I am one of the editors of the CSS Masking specification[1]. The specification has a security section[2] and I got the advice to ask at webappsec for a security review. Note that the spec and the section in question are in an early stage. I am very happy to get suggestions.
To the context
===========
SVG can reference so-called SVG resources. SVG resources can be paint servers, masks, clip-paths, filters. These are style descriptions in pure XML markup, referenced by an IRI in a style property:
<svg>
  <mask id="mask">
    <rect width="100" height="100" />
  </mask>
</svg>
<div style="mask: url(#mask)"></div>
In this case the div box gets masked by the content of the referenced <mask> element.
Problems:
* Cycle references: <mask id="a" xlink:href="#b"/><mask id="b" xlink:href="#a"/> Since SVG resources can nearly always reference other SVG resources, a cycle detection algorithm marks and tracks visited nodes and stops if a cycle is detected for all SVG resources. This is an implementation detail but noted in SVG 1.1.
* Reference to external documents: IRI allows cross-document references. <mask xlink:href="http://external.com/image.svg#mask"/> This element reference might be in a different document on a different domain.
The last point is problematic, since it should not be allowed to reference cross domain resources. The security section in CSS Masking aims to specify this for <mask> and <clipPath>.
Please ask if you need more information. I am happy to provide more details if needed.
Greetings,
Dirk
[1] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html
[2] http://dvcs.w3.org/hg/FXTF/raw-file/tip/masking/index.html#security
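The two problems listed in the mail (cycle references and cross-document references) come down to one resolver rule set: walk the reference chain with a visited set, and refuse any reference whose origin differs from the referencing document. The block below is an added example, not code from the CSS Masking specification or from the mail. It models each SVG resource as a constructed `{ href }` entry keyed by id, assumes a document origin of `https://example.test`, and interprets "different domain" as a URL-origin comparison (scheme, host and port); the function names `parseReference` and `resolveResource` are hypothetical.

```javascript
// Added example: same-origin enforcement plus cycle detection for
// SVG resource references (mask, clipPath, ...). Not spec code.

// Assumed origin of the document that contains the referencing element.
const DOCUMENT_ORIGIN = 'https://example.test';

// Constructed resource table: id -> { href } where href is the IRI this
// resource references via xlink:href, or null if it references nothing.
const RESOURCES = {
  mask:   { href: null },                                  // <mask id="mask">
  a:      { href: '#b' },                                  // <mask id="a" xlink:href="#b"/>
  b:      { href: '#a' },                                  // <mask id="b" xlink:href="#a"/>
  ext:    { href: 'http://external.com/image.svg#mask' },  // cross-origin reference
  chain1: { href: '#chain2' },                             // well-formed chain
  chain2: { href: '#mask' },
};

// Turn an IRI into { origin, id }. Fragment-only IRIs (#id) stay in the
// referencing document; everything else is resolved against that document.
// Returns null when the IRI carries no fragment, i.e. names no element.
function parseReference(iri, baseOrigin) {
  if (iri.startsWith('#')) {
    return { origin: baseOrigin, id: iri.slice(1) };
  }
  const url = new URL(iri, baseOrigin);
  if (!url.hash || url.hash === '#') return null;
  return { origin: url.origin, id: url.hash.slice(1) };
}

// Follow the reference chain starting at `iri`. Each step is checked:
//   - origin must equal the referencing document's origin (reject cross-origin)
//   - a resource seen before in this walk means a cycle (reject, stop)
//   - an unknown id is reported as missing
// Returns { ok, reason, chain } where chain lists the ids visited in order.
function resolveResource(resources, iri, baseOrigin = DOCUMENT_ORIGIN) {
  const visited = new Set();
  const chain = [];
  let ref = parseReference(iri, baseOrigin);
  if (ref === null) return { ok: false, reason: 'invalid', chain };

  while (ref !== null) {
    if (ref.origin !== baseOrigin) {
      return { ok: false, reason: 'cross-origin', chain };
    }
    const key = `${ref.origin}#${ref.id}`;
    if (visited.has(key)) {
      return { ok: false, reason: 'cycle', chain };
    }
    visited.add(key);

    const resource = resources[ref.id];
    if (resource === undefined) {
      return { ok: false, reason: 'missing', chain };
    }
    chain.push(ref.id);

    if (resource.href === null) break;
    ref = parseReference(resource.href, baseOrigin);
    if (ref === null) return { ok: false, reason: 'invalid', chain };
  }
  return { ok: true, reason: null, chain };
}

// Stand-alone run over the constructed table.
for (const iri of ['#mask', '#a', '#ext', '#chain1', '#nope',
                   'http://external.com/image.svg#mask']) {
  const result = resolveResource(RESOURCES, iri);
  console.log(iri, '->', result.ok ? 'ok' : result.reason, result.chain);
}
```

The same-origin test is applied before the table lookup on every hop, so a same-origin resource that in turn references a cross-origin one is rejected at that hop rather than silently resolved; the visited set is per walk, so legitimate diamond-shaped reference graphs that are not cycles still resolve.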